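# PKI expiration reminder: a systemd timer that periodically runs
# ./pki-expiry.sh against a read-only store-path snapshot of the public
# PKI material (CA certificates, CRLs, leaf certificates) and keeps its
# state under /var/lib/pki-expiry.  The ordering on postfix.service and
# /run/wrappers on PATH indicate that mail goes out via postfix's
# sendmail wrapper (the script itself is not visible here).
{ config, lib, pkgs, ... }:
let
  inherit (lib)
    concatLines filterAttrs getExe mapAttrsToList mkEnableOption mkIf readFile;

  cfg = config.local.jobs.pkiExpiry;
  inherit (config.local) pki;

  # Snapshot of everything the checker reads.  Only public artefacts are
  # linked in (certificates and CRLs); no key material ever enters it.
  #   $out/ca/<ca.path>   -> CA certificate
  #   $out/crl/<ca.path>  -> that CA's CRL
  #   $out/cert/<path>    -> leaf certificate (byPath entries without `leaves`)
  pkiPublic = pkgs.runCommandLocal "pki-public" { } (concatLines (
    [ "mkdir -p $out/{ca,cert,crl}" ]
    ++ mapAttrsToList (_: ca: "ln -s ${ca.cert} $out/ca/${ca.path}") pki.ca
    ++ mapAttrsToList (_: ca: "ln -s ${ca.crl} $out/crl/${ca.path}") pki.ca
    ++ mapAttrsToList (path: leaf: "ln -s ${leaf.cert} $out/cert/${path}")
         # CA entries in byPath carry a `leaves` attribute; everything
         # else is treated as a leaf certificate.
         (filterAttrs (_: object: !(object ? leaves)) pki.byPath)
  ));

  # The checker itself; writeShellApplication runs shellcheck and pins
  # the tools on PATH at build time.
  script = pkgs.writeShellApplication {
    name = "pki-expiry";
    text = readFile ./pki-expiry.sh;
    # diff(1) for change detection against the state dir, openssl for
    # reading certificate/CRL validity periods.
    runtimeInputs = with pkgs; [ diffutils openssl ];
  };
in
{
  options.local.jobs.pkiExpiry = {
    enable = mkEnableOption "PKI expiration reminder";
  };

  config = mkIf cfg.enable {
    systemd.services.pki-expiry = {
      description = "PKI expiration reminder";
      after = [ "postfix.service" ];
      # NixOS security wrappers; the postfix module's sendmail wrapper
      # lives here (presumably what the script uses to send mail).
      path = [ "/run/wrappers" ];
      environment.PKI_PUBLIC = "${pkiPublic}";

      serviceConfig = {
        Type = "oneshot";
        StateDirectory = "pki-expiry";
        WorkingDirectory = "/var/lib/pki-expiry";
        ExecStart = getExe script;

        # Sandboxing.  The job only reads store paths, reads/writes its
        # StateDirectory and submits mail, so it gets no view of /home
        # or /root, a private /tmp and /dev, a read-only /usr, /boot and
        # /etc, and no access to kernel tunables, modules, logs or
        # cgroups.  /var stays writable (ProtectSystem=full, not strict)
        # because mail submission has to write the postfix spool.
        ProtectSystem = "full";
        ProtectHome = true;
        PrivateTmp = true;
        PrivateDevices = true;
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectKernelLogs = true;
        ProtectControlGroups = true;
        RestrictRealtime = true;
        RestrictNamespaces = true;
        LockPersonality = true;
        SystemCallArchitectures = "native";
        # Deliberately NOT set: DynamicUser, NoNewPrivileges and
        # ProtectSystem=strict.  The sendmail wrapper is setgid and must
        # gain the postdrop group to queue mail; NoNewPrivileges (implied
        # by DynamicUser) would block that.  Because the unit keeps
        # running as root, the options above do not imply NoNewPrivileges.
        # NOTE(review): confirm against pki-expiry.sh before tightening
        # further (e.g. IPAddressDeny, RestrictAddressFamilies).
      };
    };

    systemd.timers.pki-expiry = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        # First run 10 minutes after boot, then every 3 days after the
        # previous run finished.  Both are monotonic timers, so no
        # Persistent= is needed.
        OnStartupSec = "10m";
        OnUnitInactiveSec = "3d";
      };
    };
  };
}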